aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0
9.43k stars 2.13k forks

Tokens with Invalid JSON payloads #13593

Closed alexhddev closed 1 week ago

alexhddev commented 3 months ago

JavaScript Framework

Not applicable

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

None

Environment information

```
System:
  OS: Windows 10 10.0.19045
  CPU: (8) x64 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz
  Memory: 20.56 GB / 31.88 GB
Binaries:
  Node: 20.10.0 - C:\Program Files\nodejs\node.EXE
  npm: 10.5.0 - C:\Program Files\nodejs\npm.CMD
Browsers:
  Edge: Chromium (126.0.2592.87)
  Internet Explorer: 11.0.19041.4355
npmGlobalPackages:
  @angular/cli: 17.0.5
  aws-cdk: 2.148.0
  generator-code: 1.8.0
  npm: 10.5.0
  ts-node: 10.9.1
  typescript: 5.3.3
  vsce: 2.15.0
  yo: 5.0.0
```

Describe the bug

The tokens provided by Amplify have an invalid payload and can't be used. Code to generate the tokens:

```javascript
import { signIn, fetchAuthSession } from "@aws-amplify/auth";
import { Amplify } from "aws-amplify";

// Cognito user pool configuration (placeholder identifiers)
Amplify.configure({
    Auth: {
        Cognito: {
            userPoolId: "MyUserPoolId",
            userPoolClientId: "MyUserPoolClientId",
        },
    },
});

async function main() {
    // Username/password sign-in; USER_PASSWORD_AUTH must be enabled on the app client
    await signIn({
        username: "MyUsername",
        password: "MyPassword",
        options: {
            authFlowType: "USER_PASSWORD_AUTH",
        },
    });

    // Read the ID token from the current session and print its raw JWT form
    const { idToken } = (await fetchAuthSession()).tokens ?? {};

    console.log(idToken?.toString());
}

main();
```

The code works without error but the provided idToken (and also the access token) is invalid and cannot be used - the app returns not authorized when used. Checking the token on JWT.io, I can see that it has an invalid payload. Example token: eyJraWQiOiJkTTc4WHJFQXBNZlFnNzc2cUpxK1FxcE90NWgrVzRSYlwvWlhHQ3pLcHJRbz0iLCJhbGciOiJSUzI1NiJ9.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.K7qEAmmgqTFbjriZeTlng7wAfX4POjb1vA9f1cyVSJklaPg0fXc1Y2LZZLLSNDW5JDSZ-nYbad1SK4B8g-UzC5KGSjh7o9WIWkdtLbXByxCBJL-dhCP1Vsco6OYTKRdBuOUz4ZJ4qkQDogEFcH9d4brgsP6ao9LrNwNewsKx0kv-cmSM3GIiFc4J-RM3eWUgK07VfJyxQWYsWy_lelL49JzPQlf4TV3-J52zMNZUUszN9GPq6ZT3XxDkWqXtcijsLeVjLfk7eqeQDTfRwCeyxEo9GfwgDRQt6tx5h1dBJ2UM5r-1BK6vU19_5Sn8ZBk-rK0cbOznIBCmCDlNxA

Expected behavior

The generated tokens should have valid JSON payload and be usable.

Reproduction steps

  1. Init an npm project.
  2. Install aws-amplify: "aws-amplify": "^6.3.8".
  3. Run the specified code.

Important note: The issue appears randomly. On one account the generated tokens are valid, on another the generated tokens have invalid payload.




cwomack commented 3 months ago

Hey, @alexhddev, and sorry to hear you're running into this. We've been trying to reproduce this on our side, but we're unable to reproduce an issue with the JSON payloads using both the code snippets you've provided for (we're assuming) Node.js for the main function as well as normal usage of fetchAuthSession().

Are you doing anything to modify the token content by chance? Or are you able to provide more reproduction details if not a minimal sample repo for this? Thanks.

alexhddev commented 3 months ago

Unfortunately, this issue is very hard to reproduce (on one AWS account it works, on another it doesn't) and most likely it's a back-end issue, not an Amplify issue. The invalid tokens can also be generated using only the AWS console. I don't know what steps to take from now.

cwomack commented 1 month ago

@alexhddev, do you have any pre-token generation Lambda trigger hooks that are modifying the JWT in any way? Also, can you clarify which AWS console you're able to create the invalid tokens in?
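A small Node.js diagnostic, added here as an illustration and not part of the issue thread or the amplify-js code base, that answers the question the maintainers are circling: which segment of the returned JWT fails to decode as JSON, and whether the claims a Cognito-issued token should carry are present. The tokens it runs on are constructed, unsigned fixtures, so the script only checks structure; it does not replace signature verification against the user pool's JWKS.

```javascript
// Decode one base64url segment of a JWT (Node >= 15.7 understands 'base64url').
function decodeSegment(segment) {
  return Buffer.from(segment, 'base64url').toString('utf8');
}

// Split a JWT, parse header and payload, and list every structural problem found.
// This is a diagnostic only: it never verifies the signature, so a "clean" report
// says nothing about whether the token is trustworthy.
function inspectJwt(token) {
  const parts = token.split('.');
  const report = { segments: parts.length, header: null, payload: null, problems: [] };
  if (parts.length !== 3) {
    report.problems.push(`expected 3 dot-separated segments, got ${parts.length}`);
    return report;
  }
  for (const [name, idx] of [['header', 0], ['payload', 1]]) {
    const raw = decodeSegment(parts[idx]);
    try {
      report[name] = JSON.parse(raw);
    } catch (err) {
      // Show the first decoded bytes so a truncated or mangled segment is recognisable
      report.problems.push(`${name} is not valid JSON: ${err.message}; decoded bytes start with ${JSON.stringify(raw.slice(0, 40))}`);
    }
  }
  if (report.payload) {
    // Claims every Cognito ID/access token carries; a missing one points at the issuer side
    for (const claim of ['iss', 'sub', 'exp', 'token_use']) {
      if (!(claim in report.payload)) report.problems.push(`payload missing claim "${claim}"`);
    }
  }
  return report;
}

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed fixtures (placeholder kid, issuer and subject; signature is a dummy string).
const header = { kid: 'EXAMPLE_KID', alg: 'RS256' };
const claims = { iss: 'https://cognito-idp.REGION.amazonaws.com/POOL_ID', sub: 'EXAMPLE_SUB', token_use: 'id', exp: 1720000000 };
const dummySig = 'not-a-real-signature';

// Well-formed token: all three segments decode and the expected claims are present.
const goodToken = `${b64url(header)}.${b64url(claims)}.${dummySig}`;
// Same token with the payload segment cut off part-way: header still parses, payload does not.
const badToken = `${b64url(header)}.${b64url(claims).slice(0, 20)}.${dummySig}`;

console.log(inspectJwt(goodToken).problems); // []
console.log(inspectJwt(badToken).problems);  // ["payload is not valid JSON: ..."]
```

Running it against a real token from fetchAuthSession() and pasting the `problems` array (never the token itself) is the kind of detail a maintainer can act on.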

cwomack commented 1 week ago

Closing this issue as we have not heard back from you. If you are still experiencing this, please feel free to reply back and provide any information previously requested and we'd be happy to re-open the issue.

Thank you!